Saturday, December 7, 2024

Chinese APT Hackers Using Multiple Tools And Vulnerabilities To Attack Telecom Orgs


Earth Estries, a Chinese APT group, has been actively targeting critical sectors like telecommunications and government entities since 2023. 

The group's tradecraft includes exploiting vulnerabilities, moving laterally, and deploying multiple backdoors such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, with significant impact across Southeast Asia. 

The group operates a sophisticated command and control (C&C) infrastructure and collaborates with other Chinese advanced persistent threat (APT) groups to share tools. 


While some overlaps exist with FamousSparrow, GhostEmperor, and Salt Typhoon, definitive links remain unclear. Earth Estries’ persistent and sophisticated operations pose a serious threat to global cybersecurity. 

Campaign Alpha overview

Earth Estries, a highly sophisticated threat actor, has compromised over twenty organizations spanning a wide range of industries and geographical locations.


They exploit N-day vulnerabilities in public-facing servers, such as Ivanti Connect Secure VPN, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange. 

Post-compromise, they employ living-off-the-land binaries for lateral movement and deploy custom malware like SNAPPYBEE, DEMODEX, and GHOSTSPIDER to conduct persistent espionage operations. 

The group’s well-structured operations, with specialized teams for different attack phases and regions, indicate a high level of sophistication and resourcefulness.

The C&C with open directory vulnerability

An investigation into targeted attacks in October 2023 revealed a C&C server (23.81.41.166) with an open directory vulnerability, which hosted malicious tools including frpc (linked to a ShadowPad SSL certificate), PowerShell scripts (similar to GhostEmperor’s dropper), and SNAPPYBEE samples (identified by a specific shellcode signature). 

The attackers used these tools together with the DEMODEX rootkit to compromise systems. The DEMODEX installation chain consisted of a first-stage PowerShell script that required a decryption key, followed by a second-stage service loader that derived its key from the computer name.

Both components employed control flow flattening for obfuscation. 

Core-implant malware configuration (C&C: 103.91.64[.]214)

Researchers at Trend Micro analyzed the C&C infrastructure of a backdoor named SNAPPYBEE and found connections to UNC4841 but lacked evidence to definitively link them. 

The attackers used SoftEther VPN to mask their activity while exfiltrating victim data, including financial documents and government information, from a US NGO; LOLBin tools were used for lateral movement. 

In a separate campaign, GHOSTSPIDER, a sophisticated multi-modular backdoor, was discovered, which uses a custom TLS-protected protocol and various modules for different functionalities. 

Its communication format consists of a connection ID, action codes, and data, separated by pipe characters. GHOSTSPIDER's modular design makes it flexible for the operators and difficult to analyze for defenders. 

Campaign Beta overview

The Earth Estries APT group has changed its DEMODEX rootkit installation method: instead of a first-stage PowerShell script, it now uses a CAB file containing an encrypted configuration and a shellcode payload. This makes analysis more difficult because the supporting files are deleted after installation. 

The group also uses MASOL RAT to target Linux servers in Southeast Asia, alongside various backdoors including DEMODEX, GHOSTSPIDER, SparrowDoor, and CrowDoor. Attribution of some of these backdoors remains uncertain because they share C&C infrastructure. 

SNAPPYBEE and Cobalt Strike are also used in the group's attacks, and its TTPs indicate that operations may be carried out by different groups.
